SethSec

Thursday, August 31, 2017

TL;DR

There are a lot of great blogs out there that show you how to Kerberoast. In this post, I'm going to walk through the process of setting up your lab so that you can practice this attack. This involves creating a domain user and then mapping an SPN to that account. After that, I'll walk through using Empire to launch Invoke-Kerberoast, and I'll crack the resulting ticket hashes offline with Hashcat.

Pentest Home Lab Recap

If you don't already have an Active Directory lab and want to build one so that you can play along, check out my previous posts:

The Attack: Kerberoasting

Attack Goals

Domain privesc & lateral movement. Any authenticated domain user can ask the domain controller for a service ticket (TGS) for any registered SPN, and that ticket is encrypted with the password hash of the account the SPN belongs to. No elevated rights are needed and the cracking happens offline, so if you have domain credentials and access to the domain, this is a relatively easy way to gain additional access within the domain. If all goes well, you'll end up with new domain credentials that might have administrative access to additional resources.

Creating SPNs in your Lab

"A service principal name (SPN) is a unique identifier of a service instance. SPNs are used by Kerberos authentication to associate a service instance with a service logon account. This allows a client application to request that the service authenticate an account even if the client does not have the account name."

I used to think you needed to install a service like IIS or SQL Server in order to set this up in your lab. Good news: Setting this up in the lab is much easier than that. All you need to do is execute the setspn command as a domain administrator and map an SPN to a valid account. Nothing has to be listening for that service; the DC will issue tickets for the SPN as long as it is registered on an account.

Step 1 - Create a new domain account for the test

If using PowerShell to create the user (New-ADUser), you'll need to run this from the domain controller or another machine that has the ActiveDirectory PowerShell module installed. You'll also need to run this as a domain administrator or another account that has rights to add a new user:
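Here are both steps, creating the account and mapping the SPN, as an added PowerShell example rather than the post's own screenshots. It assumes the lab.local domain from the Proxmox build, an account named sqlsvc and a fake SQL SPN, all of which are my choices; run it on the DC as a domain administrator:

```powershell
# Added example, not the original post's commands. Run on the DC (or a host with RSAT)
# as a domain administrator. Domain, account name, password and SPN are lab choices.
Import-Module ActiveDirectory

$domain  = (Get-ADDomain).DNSRoot                  # e.g. lab.local
$account = 'sqlsvc'
$spn     = "MSSQLSvc/sql01.${domain}:1433"         # no SQL Server has to exist for this
# Deliberately weak password. It still has to satisfy the default complexity policy
# (upper + lower + digit, 7+ chars), but a wordlist finds it in seconds.
$password = ConvertTo-SecureString 'Summer2017' -AsPlainText -Force

New-ADUser -Name $account -SamAccountName $account -UserPrincipalName "$account@$domain" `
    -AccountPassword $password -Enabled $true -PasswordNeverExpires $true `
    -Description 'Kerberoast test account (fake SQL service)'

# Map the SPN. -s checks the forest for a duplicate first; -a would add it blindly.
# The DC will issue service tickets for any SPN registered on an account.
setspn -s $spn $account

# Verify. This second query is exactly what an attacker runs to find targets.
setspn -L $account
Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties ServicePrincipalName |
    Where-Object SamAccountName -ne 'krbtgt' |
    Select-Object SamAccountName, ServicePrincipalName
```

If you would rather stay inside the AD module, Set-ADUser with -ServicePrincipalNames @{Add=...} does the same thing as setspn -s.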

As you will find in all of those great posts (and many others), there are lots of different tools that you can use to perform the Kerberoast attack. This part has been widely covered, but I still want to include the attack walk-through in this post for completeness. I'll quickly walk through what I consider to be a really easy, reliable way to execute this attack in your lab:

Updating:
*If you have Empire installed but you have not updated Empire since 8/31/2017, git pull to current. There were some bug fixes and improvements made to the Invoke-Kerberoast module between the 27th and the 31st. You'll likely have to rerun the install script (make a backup first) as there were some major changes in v2.1 that require new dependencies.

And here is a cracked domain account (if you scroll up to the top of that hash on your own machine, you will see the username of the account whose ticket you just cracked). Use the Hashcat output format when you run Invoke-Kerberoast; the $krb5tgs$23$ lines it produces are Hashcat mode 13100.

Wrap Up

You did it. You created an SPN in your Active Directory lab, you used the Kerberoast attack to pull out a service ticket encrypted with that account's password hash, and you cracked it with Hashcat. Feel free to create some more to make the attack feel more realistic.

How does an organization prevent this from happening?

Make sure all accounts that have an SPN tied to them (usually service accounts) have a difficult to crack password. Something random and long (25+ characters), so that a ticket the DC will hand to any domain user is not crackable offline. Finding those accounts is the same query the attacker runs (setspn -Q */* or an LDAP search for servicePrincipalName=*), so run it yourself first.

Disable interactive login whenever you can for service accounts. That password doesn't do an attacker nearly as much good if interactive login is disabled and they can't connect to a server with it.

In this third installment, I'm going to walk through setting up a pentest Active Directory home lab in your basement, closet, etc. I'll be using Proxmox VE, an open source virtualization environment (aka hypervisor) similar to VMware ESXi or Citrix XenServer.

What are we going to build?

At the end of this post, you will have a fully functional AD environment running on ProxmoxVE that you can use to make yourself a better penetration tester. I'm not going to assume you are familiar with ProxmoxVE or setting up Active Directory, so some of this might be review.

You will configure at least 2 virtual machines, most likely more:

You will create a Windows 2012r2 domain, promote one server to be a DC, and add additional hosts to the domain:

You will create at least 2 users and 1 administrator account:

To get started, you really only need a Domain Controller and a Workstation. To be able to test out more stuff, you'll probably end up wanting at least two workstations (User 1's workstation and User 2's workstation), and at least one more non DC server.

Example server specs

I'm including my server specs just as a reference point. I've found it really helpful in the past when people have done the same:

If you are building on consumer hardware like I did, I suggest just going right to 1TB of SSD and 32GB of RAM. I know it isn't cheap, but with only 500GB SSD and 16GB RAM I ran up against those limits pretty quickly.

Let's talk about network placement

You can get really fancy and run your lab in a restricted subnet, or you can just keep it simple and run it on the same flat network you use for everything else on your home network. You do not need to separate your lab from your home network. In other words, don't let network architecture stop you from setting up your lab. I've made that mistake before.

If you have a firewall or a router at home you can absolutely place your hypervisor on its own network and control access between your lab and your home network. This is what I am doing now. I have my home network somewhere in 192.168.0.0/16 and I have my lab on 10.0.0.0/24.

Another note: I suggest that you use bridged mode for all virtual machines. You can do almost everything you want to do with NAT, but that means you won't be able to run tools against your lab from your laptop or anything else outside the hypervisor; only other virtual machines in the lab's private network will be able to reach it.

Installing the hypervisor (Proxmox VE)

If you have a favorite hypervisor and don't want to try Proxmox VE, you can just skip this section.

5) Select I agree
6) Pick harddisk and select Next
7) Select Country, Time zone, and Keyboard Layout and select Next
8) Select a password and enter your email address (I have not gotten any email from them)
9) Configure management network interface and select Next

10) Select Next. This will begin the install
11) Click Reboot
12) At the console, you should see something like this:

13) Log into the console and update the OS. A fresh install has the pve-enterprise repository enabled, which answers apt-get update with 401 Unauthorized unless you have a subscription, so either add one or switch to the pve-no-subscription repository first. Proxmox also tells you to use dist-upgrade rather than upgrade for its own packages:

apt-get update && apt-get -y dist-upgrade

14) You are ready to log in and start building virtual machines
15) Navigate to the IP you gave your PVE (https://IP:8006)

16) Log in to web interface with username: root (and the password you specified at install)

17) SSH to the server - just to make sure you can

Troubleshooting tip: I was initially unable to reach my newly installed Proxmox. It turns out that the default bridge was set up for eth0, but I was cabled into eth1. My eth1 is a better NIC, so rather than change the cable, I modified /etc/network/interfaces and changed the bridge_ports line under vmbr0 from eth0 to eth1, then restarted networking:

Getting Windows server software

If you are going to build on premises, you will need to get your hands on the following software:

Required - Windows Server (2012 or 2016)

Optional - Windows 7 (or 8 or 10)

In terms of getting the software, there are a few options:

Download evaluation versions, which are good for 180 days

See if your workplace has a key/iso that can be used in a lab environment

I think if you are a student you can get the OS's for free

For this post, I'll walk through the process of obtaining an Evaluation License. If you already have licensed copies of Windows you can skip the next section:

Obtaining an evaluation license for Windows server

For my last AWS walk though, I built the AD lab on Windows Server 2016. For this post, to change it up, I'm going to use Windows Server 2012r2. If you want to use Server 2016, almost all of the steps should be the same.

1) Go here: https://www.microsoft.com/en-us/evalcenter/
2) Click the Evaluations square
3) Sign in with your Microsoft account. An old Hotmail account and/or a current outlook.com account should work
4) Click the Evaluations square again

5) Select the product you would like to evaluate (Windows Server 2012r2)

6) Select Register to continue

7) Enter your info

8) Select ISO

9) Select 64 bit and your language
10) Select Download

Downloading Windows 10 ISO

I'll walk through downloading the windows 10 ISO, but as I mentioned earlier, you can skip windows 10 and use Windows7/8 instead.

Configuring a Promox VM (Windows Server 2012r2)

5) Storage: Select local, and then your transferred ISOs should show up in that list. Select the correct windows server 2012 ISO and click next

6) Hard Disk: Click next
7) CPU: Click next
8) Memory: I like to select Automatically allocate memory within this range, and for Windows I tell it to stay between 1 and 4GB. You can certainly tweak these based on how much RAM you have.
9) Click next

10) Network: Keep defaults (Bridged mode), and click next
11) Click finish
12) In the right side column, find and right click the newly created instance. Click start

Time/Sanity Saving Tip: I used to spend hours updating all of my virtual machines before I would make a snapshot or template, but eventually I realized that it was mostly a waste of time. Sure, there are a few times where you do want to test your tools against a fully patched box. But, if this is your first pentest lab, I suggest learning from my hours of wasted time and skipping the patches until you need them. This applies to both the servers and the desktops.

Installing Windows Server 2012r2

1) If using local virtualization (not cloud based), give it 24-32GB of HD space and 1-2GB of RAM.
2) Attach the ISO, boot up the virtual machine, and use this as a guide:

3) Accept Default settings and click Next
4) Click Install Now
5) Select Windows Server 2012 R2 Standard (server with a GUI)
6) Accept the license terms and click Next
7) Select Custom - New Installation
8) Highlight Drive0 unallocated space
9) Click Next
10) Create an admin password. Use something you don't mind other people seeing, as you might share stuff from this lab one day ;)
11) Use the proxmox shortcut icon to enter Ctrl+Alt+Delete, and log in:

12) On the right hand popup: Do you want to to find PCs, devices, etc. on the network: Yes
13) Do anything else you need to do on this VM before you convert it to a template. For instance, if you are not using an Eval license, you will want to run sysprep (with generalize) on the VM before you turn it into a template, so that every clone gets its own machine SID and activation state instead of copies of this one.

Converting a VM to a template in Proxmox

1) Shut down and power off your VM

2) On the left hand bar, right click on your Windows2012r2 VM and select Convert to template

3) Click Yes at the confirmation page. Note: It will take a few minutes for the template to show up. You might see it more quickly if you refresh the proxmox page.

4) That's it. You are ready to launch VMs from the template by right clicking on the template and selecting clone

VM #2 - Creating your 2012r2 Domain Controller

Creating a new VM by cloning your template

1) Right click on your template and select Clone
2) On the first tab of the Clone wizard, you will be asked whether you want a linked clone or a full clone. Linked clones are fast and small, but they depend on the template's disk, so you can never get rid of your template while they exist; just be mindful of that. I don't like using linked clones when cloning one live VM into another, because it is hard to keep track. But with templates, I use them, because it is easier for me to make sure I never touch my templates. This is another reason why a 1TB drive is really nice.

3) Name the first clone in the wizard (This will be your DC), and click clone

4) Start DC01

5) Assign a static IP. This is especially important for your DC. It doesn't matter if you chose NAT or bridged mode, but in either case, you will want a static IP in that range for your DC.

Right click on network icon on bottom right and click Network and Sharing

Click Ethernet

Properties

IPv4

Properties

6) This is not required, but this is a good time to change your hostname as well:

Click the folder on the launch bar

Right click This PC on the left side

Properties, Change settings

Change

Change the computer name

Reboot

Promoting your first server to a DC

1) Take a snapshot just in case you mess up :). Trust me, do it!

To take a snapshot in Proxmox, Select your VM, switch from Console to Snapshot on the second left most bar, and click Take Snapshot.

2) In the Server Manager, at the top right click manage, add roles and features
3) Next, Next, Next
4) Select Active Directory Domain Services
5) Select Add Features
6) Select DNS Server
7) Select Add Features
8) Next, Next, Next, Next
9) Select Restart the destination server automatically if required
10) Yes, Install, Close
11) In server manager, you will see a yellow caution triangle. Click it.
12) Click promote this server to a domain controller
13) Add new forest
14) Name your domain: you can do lab.local for now, or you can make room for more domains in the future with something like lab.proxmox.local. (.local is fine for a lab, but it collides with mDNS on some clients, so don't carry the habit into production.)
15) Click Next
16) Create and record the DSRM password
17) Click Next (ignore warning), Next, Next, Next, Install
18) You will see: You are about to be signed out.
19) Click close (or just hang tight)

You now have an Active Directory Domain - Add some users

I'm going to walk you through adding a bunch of users, and how to make one of those users a domain administrator. I am not going to cover setting up OU's in this post. If you are interested doing that now, take a look at this awesome post from Jared Haight: Setting up an Active Directory Lab - Part 3

Within server manager, which should have just popped up, click tools at the top right and select active directory users and computers

Double click on your domain to expand it

Right click on users and add new user

Name your users however you want, but I like to keep it simple:

First: User

Last: 1

Login name: user1

Next

Enter an easy to remember/crack password

Uncheck user must change at next login

Check password never expires

Next

Finish

Repeat for user2

Then I suggest adding some user accounts that you will use as admins. You can go with user1-admin, or even just a simple admin1, admin2

VM #3: Creating your second 2012r2 server

This VM is optional, but the beauty of using a hypervisor on dedicated hardware is that you most likely have memory and storage space to spare.

1) Repeat steps 1 and 2 on VM2, but this time name it something like SRV01:

2) Start the server and add it to the domain

Configuring DNS

To add any machine to the domain, the one thing you NEED to do is set the domain controller as the primary DNS server.

1) RDP to server
2) Right click on the networking icon at the bottom left and click Open Network and Sharing Center
3) Select Ethernet Adapter
4) Change the primary DNS server to be the IP address of your DC

Adding host to the domain

While this process is fairly straightforward, I feel like it never works the first time for me. If you run into issues, read the notes right after these steps for ideas.

Having trouble adding your host to the domain? Here are some troubleshooting tips:

1) Can you ping the IP address of your DC from your other server(s)?
2) Can you resolve the hostname of your DC from your other server(s)?
3) Can you navigate to \\IP_ADDRESS_OF_DC from your other server(s)?

Here are things to look for:

Network Config Settings
--- Did you give your DC the right subnet mask when you configured the static IP?
--- Did you configure the primary DNS server properly on your non-DC host?

Are you typing in the right domain name when attempting to add your host?

Adding domain users to the remote desktop group

You might not ever even need to RDP to your hosts because the proxmox console is pretty good. I still like to do this anyway though.

1) Select the folder icon in the task bar

2) Right click This PC

3) Click Properties

4) On the left, click Remote Settings, and enter the domain administrator credentials

5) In the Remote Desktop section of the window, click Select Users...

6) Click Add...

7) Type Domain users and click Check Names

8) Click OK, OK, OK

You should now be able to RDP to this host with any of your domain users (User1, User2, Admin1)

VM #4: Creating our Windows 10 Template

Everything you need to configure a Windows 10 VM and add it to the domain is shown above in one way or another. Here is the high level approach:

1) Create the Windows10 VM

2) Install Windows10 using the ISO we downloaded earlier

3) Configure the OS with any custom configurations or software before turning it into a template

4) Turn VM#4, this VM, into a template

VM #5 & #6: Creating two Windows 10 VMs from the template

1) Clone the template to be one Windows10 VM at minimum, but feel free to use 2 or 3 VMs

Wrap Up

You did it! You should now have 1 DC, and 1-3 additional hosts set up in ProxmoxVE. You are now ready to try all sorts of stuff, like CrackMapExec, Empire, Metasploit, Mimikatz, Kerberoasting, and more. My next posts will walk through running these tools against your active directory pentest lab.

Are there any specific tools or techniques related to penetration active directory you would like me to cover? If so, leave a comment! If I know how to do it, I'll cover it. If I don't, I'll try to learn it and then I'll cover it!

What are we going to build?

At the end of this post, you will have a fully functional AD environment in AWS that you can use to make yourself a better penetration tester. I'm not going to assume you are familiar with AWS or setting up Active Directory, so some of this might be review.

You will configure 2-4 AWS EC2 instances:

You will create a Windows 2016 domain, promote one server to be a DC, and add additional hosts to the domain:

You will create at least 2 users and 1 administrator account:

To get started, you really only need a Domain Controller and a Workstation. To be able to test out more stuff, you'll probably end up wanting at least two workstations (User 1's workstation and User 2's workstation), and at least one more non DC server.

Note: If you missed my last post, I mentioned that AWS does not provide an AMI (AMIs are like images) for Windows 7/8/10. I also mentioned that while not a true replica of what we run into on the job, I have found that you can just treat servers as if they were clients, and it is good enough. In other words, you have everything you need to simulate a compromised victim's workstation for the purposes of our testing with Windows Server 2012/2016. So for our AWS lab, our workstations will just be additional Windows 2016 servers.

EC2: You pay for EC2 instances only for the hours that the instance is running

EBS: You pay for EBS volumes from the time they are provisioned to the time they are removed. This means that even if you don't use your lab for the entire month, you will still get charged for the provisioned EBS space.

8) Accept defaults and click Next: Add Storage (Or if you are more familiar with AWS, feel free to create a new VPC or a new subnet for this lab)

9) Accept defaults and click Next: Add Tags

10) Accept defaults and click Next: Configure Security Group

Time to configure your security group. If you are unfamiliar with security groups, but familiar with traditional firewalls, think about it like this: A security group is a set of stateful allow rules, and you can attach as many groups as you want to each AWS instance. The union of all attached groups is effectively that instance's firewall policy; there are no deny rules, anything not explicitly allowed is dropped.

For your lab, I suggest you limit RDP access (TCP 3389) to your public ISP assigned address (if you are doing this at work, I suggest using a VPN to connect to your lab). The cool thing is that if this changes, you can just log into the AWS console from anywhere and change the IP in the security group. Don't leave 3389 open to 0.0.0.0/0: these boxes are going to have deliberately weak passwords.

11) Click Review and Launch, then Launch

12) If you haven't created an AWS keypair yet, create one. If you have, you know what to do here.

13) Launch Instance

14) Let's go see our new instance. Go to Services > EC2

15) You will now see a new running instance. Click the Running Instances link

16) Your new instance will say Initializing under Status Checks. It is a good idea to rename it.

17) While it finishes initializing, find the instance's public IP. You can find it to the right under IPv4 public IP, or in the lower frame, in the description tab, under IPv4 Public IP.

18) Select your instance and click Connect

19) Download the RDP file, and point the window to your private key so you can decrypt the random password AWS gave your Windows instance. Once you decrypt that password, save it somewhere safe, like in a password vault (e.g., KeePass, Password Safe).

20) Double click the AWS RDP file, or just put the public IP in RDP manually and choose Administrator as the username

21) Enter the decrypted password

22) You are now logged into your first server.

Instance #2: This will be Workstation01

There is a really cool feature within the EC2 console called "Launch More Like This". This launches the EC2 instance wizard and uses the same EC2 settings as the selected instance, such as security groups, sizing preferences, desired subnet, etc. But, this is NOT like cloning a VM. Everything inside the new instance is going to be vanilla: a fresh copy of the AMI, not a copy of your first instance's disk.

1) Go back to EC2 dashboard

2) Click on Windows Server 2016-1 and click Actions, Launch more like this.

3) Click Launch

4) Select same keypair you created last time, and click Launch Instances

5) When it is fully running, download the RDP file again and decrypt the password

6) Double click the AWS RDP file, or just put the public IP in RDP manually and choose Administrator as the username

7) Enter the decrypted password

8) You are now logged into your second machine

Disable IE Enhanced Security Configuration

This will make IE act more like Windows10, specifically it will not require you to add every new site to the Trusted Sites list.

1) Open Server Manager

2) Click Local Server

3) In Properties, navigate to IE Enhanced Security Configuration, and click On

4) Change both options to Off, and click OK

5) Restart IE

Instances #3 & #4?

You can either stop here and you'll have:

WindowsServer2016-1 - This will be your DC

WindowsServer2016-2 - This will be your workstation

Or, you can make two more servers and you will have:

WindowsServer2016-1 - This will be your DC

WindowsServer2016-2 - This will be user 1's workstation

WindowsServer2016-3 - This will be server1

WindowsServer2016-4 - This will be user 2's workstation

Create security groups so your LAN can talk to each other

Now that we have spun up all of our servers and have successfully RDP'd to each of them, there is one more thing we need to do before we can create our domain. We need to create an AWS Security Group that allows the hosts on your subnet to talk to each other: an inbound rule for All traffic (not just All TCP, since DNS and Kerberos also use UDP) with your subnet's CIDR as the source.

6) Select the new security group *in addition* to the RDP security group you already have selected

7) Click Assign Security Groups

8) Repeat this for ALL Lab instances

Creating the Domain

Setting up WindowsServer2016-1 to be a Domain Controller

There are a few things you'll need to do and some you might want to do before creating your domain and promoting your first server to a domain controller.

Configure a Static IP (Required)

The first thing you want to do is change your private IP from dynamic to static. The private IP address that AWS gives your instance "remains associated with the network interface when the instance is stopped and restarted, and is released when the instance is terminated." So while this address will not change, it is still handed out by DHCP as far as your instance is concerned, and the "promotion to DC" prerequisite check in Server 2016 complains about a dynamically assigned address. There might be a better way to do this, but for me, all I did was configure the instance with a static address, using the AWS assigned private address as the IP so that nothing else had to change.

1) If you are new to Server 2012/2016, you get to this by right clicking on the networking icon at the bottom left and click Open Network and Sharing Center

2) Click the Ethernet adapter

3) Use Powershell to find the current IP, netmask, and gateway. Set the static configuration to match.

Change the Hostname (Optional)

The next thing you might want to do, and this is optional, is to change the hostname to something like AWS-DC01.

1) If you are new to Server 2012/2016, click the folder icon in the task bar, right click This PC, and click properties

2) The rest should be familiar:

3) You will have to reboot at this point. Give it a few minutes and log back in.

Promote the server to a Domain Controller

Now let's finally make it a DC.

1) Open Server Manager

2) Click Manage, Add Roles and Features

3) Next, Next, Next

4) Select Active Directory Domain Services, then click Add Features

5) Select DNS Server, then click Add Features

6) Next, Next, Next, Install, Close

7) In Server Manager, click the yellow triangle and click Promote this server to a domain controller

8) In the wizard, select Add new forest, and give it a root domain name: aws.local

9) Give it a restore password and drop that in your password manager

10) Next, Next, Next, Next, Next, Install

11) When it is done, click close (or just wait and it will reboot)

12) Give it a minute and connect back. Once you connect, it will take a few minutes to fully install.
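The static IP, hostname change and promotion above, done from PowerShell instead of the GUI, as an added example that is not part of the original post. The same cmdlets work on the Proxmox 2012 R2 DC and the AWS 2016 DC. The IP, gateway, hostname and domain are my lab assumptions; on AWS, read your current values with Get-NetIPConfiguration and put those in the variable line:

```powershell
# Added example, not the original post's steps: static IP, hostname and DC promotion
# from an elevated PowerShell prompt as the local Administrator. Same cmdlets on the
# Proxmox 2012 R2 build and the AWS 2016 build. IP, gateway, hostname and domain are
# my lab assumptions. On AWS, keep the private IP you were given: read it with
# Get-NetIPConfiguration and put those values in the line below.
# These two lines are the only state; paste them again after each reboot.
$Ip = '10.0.0.10'; $Prefix = 24; $Gateway = '10.0.0.1'; $HostName = 'DC01'; $Domain = 'lab.local'
$Adapter = (Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1).Name

# --- Phase 1: make the address static (an RDP session drops for a moment here) ---
Get-NetIPConfiguration -InterfaceAlias $Adapter      # IPv4Address, PrefixLength, IPv4DefaultGateway
Set-NetIPInterface -InterfaceAlias $Adapter -Dhcp Disabled
Remove-NetIPAddress -InterfaceAlias $Adapter -AddressFamily IPv4 -Confirm:$false -ErrorAction SilentlyContinue
Remove-NetRoute -InterfaceAlias $Adapter -DestinationPrefix '0.0.0.0/0' -Confirm:$false -ErrorAction SilentlyContinue
New-NetIPAddress -InterfaceAlias $Adapter -IPAddress $Ip -PrefixLength $Prefix -DefaultGateway $Gateway
# Leave the DNS client alone; promoting with -InstallDns repoints it at 127.0.0.1.
Rename-Computer -NewName $HostName -Restart -Force

# --- Phase 2, after the reboot: roles, then the new forest (it reboots again by itself) ---
Install-WindowsFeature -Name AD-Domain-Services, DNS -IncludeManagementTools
$Dsrm = Read-Host 'DSRM password (store it in your password manager)' -AsSecureString
Install-ADDSForest -DomainName $Domain -DomainNetbiosName ($Domain.Split('.')[0].ToUpper()) `
    -SafeModeAdministratorPassword $Dsrm -InstallDns -Force

# --- Phase 3, after it comes back and you log in as <NETBIOS>\Administrator: confirm ---
Get-ADDomainController | Select-Object HostName, Domain, IsGlobalCatalog
Get-DnsClientServerAddress -InterfaceAlias $Adapter -AddressFamily IPv4   # should list 127.0.0.1
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV            # the record members will look up
```

The last line is the check that matters for the rest of the build: if that SRV record does not resolve on the DC itself, no host will be able to join later no matter what you type in the domain name box.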

You now have an Active Directory Domain - Add some users

I'm going to walk you through adding a bunch of users, and how to make one of those users a domain administrator. I am not going to cover setting up OU's in this post. If you are interested doing that now, take a look at this awesome post from Jared Haight: Setting up an Active Directory Lab - Part 3

1) Within server manager, click tools at the top right and select active directory users and computers

2) Double click on your domain to expand it (either on the left or the right frame)
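The same users, created with the ActiveDirectory module instead of the Users and Computers GUI, as an added example that is not part of the original post. It serves this section and the identical "Add some users" section of the Proxmox post; run it on the DC as the domain Administrator. The names and passwords are my lab choices, weak on purpose, and admin1 is the account that gets put into Domain Admins:

```powershell
# Added example, not the post's own clicks: user1, user2 and an admin created with
# the ActiveDirectory module. Run on the DC as the domain Administrator; applies to
# the Proxmox (lab.local) and AWS (aws.local) builds alike. Names and passwords are
# my lab choices, weak on purpose (they still meet the default complexity policy).
Import-Module ActiveDirectory
$domain = (Get-ADDomain).DNSRoot

$accounts = @(
    @{ Sam = 'user1';  First = 'User';  Last = '1'; Password = 'Password1';  Admin = $false }
    @{ Sam = 'user2';  First = 'User';  Last = '2'; Password = 'Password2';  Admin = $false }
    @{ Sam = 'admin1'; First = 'Admin'; Last = '1'; Password = 'Password3!'; Admin = $true  }
)

foreach ($a in $accounts) {
    New-ADUser -Name "$($a.First) $($a.Last)" -GivenName $a.First -Surname $a.Last `
        -SamAccountName $a.Sam -UserPrincipalName "$($a.Sam)@$domain" `
        -AccountPassword (ConvertTo-SecureString $a.Password -AsPlainText -Force) `
        -Enabled $true -ChangePasswordAtLogon $false -PasswordNeverExpires $true
    # admin1 goes into Domain Admins: this is the account the later attack posts
    # (Kerberoasting, Mimikatz) are aiming to end up with.
    if ($a.Admin) { Add-ADGroupMember -Identity 'Domain Admins' -Members $a.Sam }
}

# Verify: the three accounts exist and exactly one of them is a Domain Admin.
Get-ADUser -Filter * -SearchBase (Get-ADDomain).UsersContainer | Select-Object SamAccountName, Enabled
Get-ADGroupMember -Identity 'Domain Admins' | Select-Object SamAccountName
```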

Having trouble adding your host to the domain? Here are some troubleshooting tips:

1) Can you ping the IP address of your DC from your other server(s)?
2) Can you resolve the hostname of your DC from your other server(s)?
3) Can you navigate to \\IP_ADDRESS_OF_DC from your other server(s)?

Here are things to look for:

AWS Security Groups - Make sure you didn't mess up your security group.
--- Did you choose All TCP instead of All traffic?
--- Did you use the wrong subnet mask for your source (or use the wrong subnet altogether)?

Network Config Settings
--- Did you give your DC the right subnet mask when you configured the static IP?
--- Did you configure the primary DNS server properly on your non-DC host?

Are you typing in the right domain name when attempting to add your host?

Add domain users to the remote desktop group

1) Select the folder icon in the task bar

2) Right click This PC

3) Click Properties

4) On the left, click Remote Settings, and enter the domain administrator credentials

5) In the Remote Desktop section of the window, click Select Users...

6) Click Add...

7) Type Domain users and click Check Names

8) Click OK, OK, OK

You should now be able to RDP to this host with any of your domain users (User1, User2, Admin1)
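Here is the whole member-host procedure (DNS, the troubleshooting checks, the domain join, and the Remote Desktop Users change) from PowerShell, as an added example that is not part of the original post. It serves this section and the matching "Configuring DNS" / "Adding host to the domain" / "Adding domain users to the remote desktop group" sections of the Proxmox post. The DC address and the new hostname are my assumptions; run it in an elevated prompt on the host being joined:

```powershell
# Added example, not the post's own steps: join a member server or workstation to
# the domain from an elevated PowerShell prompt, running the three troubleshooting
# checks first. Covers the Proxmox (lab.local) and AWS (aws.local) builds; the DC
# address and the new hostname are my assumptions.
$DcIp = '10.0.0.10'; $Domain = 'lab.local'; $NewName = 'SRV01'
$Adapter = (Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1).Name

# The one thing you NEED: the DC as the primary DNS server.
Set-DnsClientServerAddress -InterfaceAlias $Adapter -ServerAddresses $DcIp

# Preflight = the troubleshooting list. Each line fails loudly here instead of
# letting Add-Computer produce a vague error later.
if (-not (Test-Connection -ComputerName $DcIp -Count 1 -Quiet)) {
    throw "Cannot ping the DC at ${DcIp}: check the DC's subnet mask (and on AWS, the security group)"
}
Resolve-DnsName -Name $Domain -Type A -ErrorAction Stop | Out-Null                          # DNS really is the DC
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop | Out-Null   # DC locator record
if (-not (Test-NetConnection -ComputerName $DcIp -Port 445 -InformationLevel Quiet)) {
    throw "SMB (445) to ${DcIp} is blocked: check the security group or firewall between the hosts"
}

# Join and rename in one step; the box reboots.
$cred = Get-Credential -UserName "$Domain\Administrator" -Message 'Domain admin credentials'
Add-Computer -DomainName $Domain -NewName $NewName -Credential $cred -Restart -Force

# --- After the reboot, logged in as a domain admin: let domain users RDP in ---
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 0
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
# Add-LocalGroupMember only exists from Server 2016 / PS 5.1, so net.exe works on 2012 R2 too.
net localgroup 'Remote Desktop Users' "$($Domain.Split('.')[0])\Domain Users" /add

# Check: PartOfDomain should be True and Domain should be your lab domain.
Get-WmiObject -Class Win32_ComputerSystem | Select-Object Name, Domain, PartOfDomain
```

The preflight order is deliberate: ping proves the subnet mask, the A lookup proves the DNS change took, the SRV lookup proves the DC is advertising itself, and 445 proves nothing in between is filtering the traffic the join actually uses.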

Wrap-Up

You did it! You should have 1 DC, and 1-3 additional hosts set up in AWS. You are now ready to try all sorts of stuff, like Empire, Metasploit, Mimikatz, Kerberoasting, and more.